{{- if .Values.ingress.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kuma.name" . }}-ingress
  namespace: {{ .Release.Namespace }}
  labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
spec:
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  {{- if not .Values.ingress.autoscaling.enabled }}
  replicas: {{ .Values.ingress.replicas }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "kuma.selectorLabels" . | nindent 6 }}
      app: {{ include "kuma.name" . }}-ingress
  template:
    metadata:
      annotations:
        kuma.io/ingress: enabled
        {{- range $key, $value := merge .Values.ingress.podAnnotations .Values.ingress.annotations }}
        {{ $key }}: {{ $value | quote }}
        {{- end }}
      labels:
        {{- include "kuma.ingressLabels" . | nindent 8 }}
    spec:
      {{- with .Values.ingress.affinity }}
      affinity: {{ tpl (toYaml . | nindent 8) $ }}
      {{- end }}
      {{- with .Values.ingress.topologySpreadConstraints }}
      topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }}
      {{- end }}
      securityContext:
      {{- toYaml .Values.ingress.podSecurityContext | trim | nindent 8 }}
      serviceAccountName: {{ include "kuma.name" . }}-ingress
      automountServiceAccountToken: {{ .Values.ingress.automountServiceAccountToken }}
      {{- with .Values.ingress.nodeSelector }}
      nodeSelector:
      {{ toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.ingress.tolerations }}
      tolerations:
      {{ toYaml . | nindent 8 }}
      {{- end }}
      terminationGracePeriodSeconds: {{ .Values.ingress.terminationGracePeriodSeconds }}
      containers:
        - name: ingress
          image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }}
          imagePullPolicy: {{ .Values.dataPlane.image.pullPolicy }}
          securityContext:
          {{- toYaml .Values.ingress.containerSecurityContext | trim | nindent 12 }}
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KUMA_CONTROL_PLANE_URL
              value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678"
            - name: KUMA_CONTROL_PLANE_CA_CERT_FILE
              value: /var/run/secrets/kuma.io/cp-ca/ca.crt
            - name: KUMA_DATAPLANE_DRAIN_TIME
              value: {{ .Values.ingress.drainTime }}
            - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
              value: /var/run/secrets/kubernetes.io/serviceaccount/token
            - name: KUMA_DATAPLANE_PROXY_TYPE
              value: "ingress"
          args:
            - run
            - --log-level={{ .Values.ingress.logLevel | default "info" }}
          ports:
            - containerPort: 10001
          livenessProbe:
            httpGet:
              path: "/ready"
              port: 9901
            failureThreshold: 12
            initialDelaySeconds: 60
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          readinessProbe:
            httpGet:
              path: "/ready"
              port: 9901
            failureThreshold: 12
            initialDelaySeconds: 1
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 3
          resources: {{ toYaml .Values.ingress.resources | nindent 12 }}
          {{ with .Values.ingress.lifecycle}}
          lifecycle: {{ . | toYaml | nindent 12 }}
          {{ end }}
          volumeMounts:
{{- if not .Values.ingress.automountServiceAccountToken }}
            - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              name: serviceaccount-token
              readOnly: true
{{- end }}
            - name: control-plane-ca
              mountPath: /var/run/secrets/kuma.io/cp-ca
              readOnly: true
            - name: tmp
              mountPath: /tmp
      volumes:
{{- if not .Values.ingress.automountServiceAccountToken }}
        - name: serviceaccount-token
          projected:
            defaultMode: 420
            sources:
              - serviceAccountToken:
                  expirationSeconds: 3600
                  path: token
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - fieldRef:
                        apiVersion: v1
                        fieldPath: metadata.namespace
                      path: namespace
{{- end }}
        - name: control-plane-ca
          secret:
            secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }}
            items:
              - key: ca.crt
                path: ca.crt
        - name: tmp
          emptyDir: {}
{{- end }}
